i have Indeed checked everything .it seems as though nothing is going wrong as of now...
#chkconfig --list
xinetd based services:
finger: off
linuxconf-web: off
rexec: off
rlogin: off
rsh: off
swat: off
ntalk: off
talk: off
telnet: on --> i have allowed a single pc to connect to server (192.168.1.31
rivate lan)
tftp: off
wu-ftpd: off
comsat: off
imap: off
imaps: off
ipop2: off
ipop3: off
pop3s: off
eklogin: off
gssftp: off
klogin: off
krb5-telnet: off
kshell: off
o/p of #w
1:06am up 7 day, 21:45, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
anoop pts/0 node2 7:27pm 0.00s 0.79s 0.01s w
i did a #cat /var/log/messages | grep ftp and got these results..
Jul 8 05:15:25 tpc ftpd[1559]: FTP LOGIN FROM term2 [192.168.1.12], tpc
Jul 8 05:16:29 tpc ftpd[1559]: FTP session closed
-->Jul 8 06:50:33 tpcisp ftpd[15248]: ANONYMOUS FTP LOGIN FROM 202.79.127.22 [202.79.127.22], mozilla@
-->Jul 8 06:51:02 tpcisp ftpd[15248]: exiting on signal 11: Segmentation fault
Jul 8 15:32:20 tpcisp ftpd[15319]: FTP session closed
Jul 8 15:32:51 tpcisp ftpd[15320]: FTP session closed
-->Jul 8 10:06:12 tpc ftpd[15321]: ANONYMOUS FTP LOGIN FROM 202.112.25.201 [202.112.25.201], mozilla@
-->Jul 8 10:07:13 tpc ftpd[15321]: exiting on signal 11: Segmentation fault
-->Jul 9 00:15:55 tpc ftpd[1578]: ANONYMOUS FTP LOGIN FROM 155.230.106.88 [155.230.106.88], mozilla@
-->Jul 9 00:16:40 tpc ftpd[1578]: exiting on signal 11: Segmentation fault
Jul 9 05:46:41 tpc ftpd[1577]: FTP session closed
-->Jul 9 06:50:40 tpc ftpd[1612]: lost connection to 205.c210-85-67.ethome.net.tw [210.85.67.205]
Jul 9 06:50:40 tpc ftpd[1612]: FTP session closed
-->Jul 9 07:35:16 tpc ftpd[1632]: getpeername (in.ftpd): Transport endpoint is not connected
-->Jul 9 21:41:27 tpc ftpd[2368]: ANONYMOUS FTP LOGIN FROM 80.48.241.245 [80.48.241.245], mozilla@
-->Jul 9 21:42:41 tpc ftpd[2368]: exiting on signal 11: Segmentation fault
when ftp was enabled earlier ,for every login [ftp session begin] there was a corresponding logout[ftp session closed ] entry ...with same pid ,here ftpdxxxx
but for these unwanted logins [which are the same entries in o/p of 'last' command] there is no logout entry...!!
the connections are from diff IP's ..
but if you notice there is a segmentation fault error [signal 11] ..is it possible that due to this
sig 11, wtmp was not updated...?? how can i find out what could possibly be the reason behind these
segmentation fault error..?
cat /var/log/xferlog doesn't show anything...
#last still shows all these...
anoop pts/0 node2 Wed Jul 10 19:27 still logged in <-- [that's me ]
anoop pts/0 node2 Wed Jul 10 19:09 - 19:12 (00:03) <-- [that's me ]
root tty2 Wed Jul 10 18:56 - 18:57 (00:01) <-- [that's me 2 ]
anoop tty1 Wed Jul 10 18:52 - 18:55 (00:03)
root tty5 Wed Jul 10 18:32 - 18:41 (00:09)
root tty4 Wed Jul 10 18:30 - 18:41 (00:11)
root tty3 Wed Jul 10 18:29 - 18:41 (00:12)
root tty1 Wed Jul 10 18:18 - 18:52 (00:34)
root tty2 Wed Jul 10 18:00 - 18:41 (00:41)
ftp ftpd2368 80.48.241.245 Wed Jul 9 21:41 still logged in <-- { mystery]
ftp ftpd1578 155.230.106.88 Tue Jul 9 00:15 still logged in <-- { mystery]
tpc ftpd1571 term2 Tue Jul 8 05:22 - 05:23 (00:01)
tpc ftpd1566 term2 Tue Jul 8 05:18 - 05:21 (00:03) <-- [ trusted user ]
tpc ftpd1564 term2 Tue Jul 8 05:18 - 05:18 (00:00)
assuming 2368 and 1578 in ftpd2368 and ftpd1578 are pid's I executed the "lsof" command
but that didn't help either...no signs of these entries..
could it be that wtmp entry is corrupted or is my machine already under the control of some hacker..?
unfortunately i haven't configured tripwire so that won't help...!!
thanx for response..
hope somebody can help!!..
anoop
